From: jlevitsk at joshie.com (Joshua Levitsky)
Subject: Verisign abusing .COM/.NET monopoly, BIND releases new

On Sep 17, 2003, at 5:37 AM, jamie rishaw wrote:

> Please provide code / config (explain).
>
> On Wed, Sep 17, 2003 at 12:42:19AM -0400, Joshua Levitsky wrote:
>>
>> On Sep 16, 2003, at 11:16 PM, Thor Larholm wrote:
>>
>>> Mail administrators
>>> who use any non-existent DNSBL to mark email as spam suddenly have all
>>> their mails deleted,
>>
>> Actually I figured out how to use it to my advantage. I query "." which
>> is my own DNS server of course as a ip4r blacklist and if the IP for
>> verisign's site is returned then I give the spam a very high score. Any
>> domain that doesn't exist would fail this, but any other domain would
>> not return that IP, but rather the proper IP.  I'm still pissed at
>> Verisign, but I always try to turn a problem into an opportunity so
>> now I'm using their greed to block spam.


I use Declude which is a plugin to IPSwitch's IMail product.

VERISCAM    rhsbl    .    64.94.110.11    1    0

Above is the config line I am using. Basically "VERISCAM" is the name 
of my test. It's a "rhsbl" test which is a Right Hand Side test. Your 
spam filter software needs to be able to do RHS-style lookups where it's 
looking at what is to the right of the @ sign. So jlevitsk@...hie.com 
could come from an AOL mail server, but my RHS test looks at joshie.com 
rather than the AOL server that handed the mail to your server. The 
next field is "." which is normally where I put like 
"orbs.dorkslayers.com" or such... the zone that I'm going to query. By 
putting a "." in then it is checking my local zone and so the query 
hits my own DNS. That's just where the query goes. "64.94.110.11" is 
the result I'm looking for from the server. Various ip4r tests result 
in like 127.0.0.2 or 127.0.0.3 and different values normally mean 
different kinds of listings like open relay vs. porn spam ... you get 
the idea. In this case a 64.94.110.11 would return from my own DNS 
server for any @bla.com that did not resolve.

This test catches anyone using phoney domains that don't exist.

-Josh
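
The lookup described in the message above, as an added Python example that is not part of the original post and is not Declude's code: it parses the VERISCAM line, takes the domain to the right of the @ sign, and reports a hit when that name resolves to the expected address. The function names, the injectable resolver and the sample domains are assumptions made for illustration; the last two fields of the config line are not explained in the post and are kept uninterpreted.

```python
import socket
from typing import Callable, List, NamedTuple, Optional

class RhsTest(NamedTuple):
    name: str       # test name, e.g. VERISCAM
    kind: str       # test type, e.g. rhsbl
    zone: str       # zone to query; "." means the sender domain itself
    expected: str   # answer that counts as a hit
    extra: tuple    # trailing fields, not explained in the post, left as-is

def parse_test_line(line: str) -> RhsTest:
    parts = line.split()
    if len(parts) < 4:
        raise ValueError("expected: name type zone result [fields...]")
    return RhsTest(parts[0], parts[1].lower(), parts[2], parts[3], tuple(parts[4:]))

def rhs_domain(address: str) -> Optional[str]:
    """Return what is to the right of the last @, lower-cased, or None."""
    _local, sep, domain = address.strip().strip("<>").rpartition("@")
    domain = domain.rstrip(".").lower()
    return domain if sep and domain else None

def query_name(domain: str, zone: str) -> str:
    """Name to look up: the domain itself for zone ".", else domain.zone."""
    return domain + "." if zone == "." else f"{domain}.{zone.strip('.')}."

def system_resolver(name: str) -> List[str]:
    """A-record lookup through the local resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def run_test(test: RhsTest, sender: str,
             resolve: Callable[[str], List[str]] = system_resolver) -> bool:
    domain = rhs_domain(sender)
    if test.kind != "rhsbl" or domain is None:
        return False
    return test.expected in resolve(query_name(domain, test.zone))

# Constructed answers standing in for DNS, so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "no-such-domain-example.com.": ["64.94.110.11"],  # wildcard answer
    "example.org.": ["192.0.2.10"],                   # domain that resolves
}

def fake_resolver(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])

if __name__ == "__main__":
    t = parse_test_line("VERISCAM    rhsbl    .    64.94.110.11    1    0")
    for sender in ("x@no-such-domain-example.com", "x@example.org"):
        print(sender, run_test(t, sender, fake_resolver))
```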

